[Bug] Latest testing, group permissions allows user role to delete password entries (and revoke password collections) via extension. #1065

Closed
opened 2026-04-06 01:34:12 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @jb2barrels on 7/6/2024

Subject of the issue

Latest testing, group permissions allows user role to delete password entries (and revoke password collections) via extension.

Deployment environment

  • vaultwarden version: Latest testing

  • Install method: Docker - vaultwarden/server:testing

  • Clients used: 2024.6.2 (Browser Extension, Google Chrome)

  • MySQL/MariaDB or PostgreSQL version: Postgres

  • Other relevant details: Web vault properly shows password collection checkboxes as grayed out when attempting to modify a password entry's collections as the user role. On the Bitwarden extension, these boxes are not greyed out and allow you to successfully update a password entry's collections. Additionally the user role is able to delete passwords in the organization.

Expected behaviour

User role should be unable to revoke collection permissions using the Bitwarden extension. Additionally I assume they should also be unable to delete passwords from the organization, unless they are a higher role?
Since the web vault works as expected for not being able to revoke an entry's collections, I assume maybe a specific API call the extension does also needs to be updated?

Troubleshooting data

This is related to the changes after the following merged pull request:

  • https://github.com/dani-garcia/vaultwarden/pull/4592 @stefan0xC (which is also related to https://github.com/dani-garcia/vaultwarden/issues/4588)

  • The pull request fixed the manager role's ability to modify password entry collections, but instead traded off the issue with providing the user role more permissions than allowed.
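The report above illustrates why greying out checkboxes in one client is not an authorization control: the browser extension simply sends the request, and only a server-side check can refuse it. The following is an added example, not vaultwarden's own code, of a single policy function that every API handler calls regardless of which client issued the request. The role names follow the issue; the policy itself (managers may reassign collections and delete, plain users may only edit entries in writable collections) is an assumed simplification of the behaviour the reporter expects, not Bitwarden's actual permission model.

```rust
// Added example (not vaultwarden's code): one server-side authorization
// decision shared by all client-facing endpoints, so the browser extension
// and the web vault are held to exactly the same rules.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OrgRole {
    Owner,
    Admin,
    Manager,
    User,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CipherAction {
    /// Edit the fields of an organization-owned password entry.
    Edit,
    /// Add the entry to, or remove it from, collections.
    ChangeCollections,
    /// Delete the entry from the organization.
    Delete,
}

/// Which client sent the request. Deliberately NOT consulted by `authorize`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ClientKind {
    WebVault,
    BrowserExtension,
}

/// The caller's access to the collections the cipher lives in
/// (assumed model: derived from direct and group collection assignments).
#[derive(Clone, Copy, Debug)]
pub struct CollectionAccess {
    /// True if the member can see at least one of the cipher's collections.
    pub has_access: bool,
    /// True if every collection granting that access is read-only.
    pub read_only: bool,
}

/// Server-side policy decision (assumed policy, see lead-in).
pub fn authorize(role: OrgRole, access: CollectionAccess, action: CipherAction) -> bool {
    match role {
        // Owners and admins manage every cipher in the organization.
        OrgRole::Owner | OrgRole::Admin => true,
        // Managers may edit, reassign collections for, and delete entries they can reach.
        OrgRole::Manager => access.has_access,
        // Plain users may edit entries in writable collections only, and may
        // never change an entry's collections or delete it.
        OrgRole::User => {
            access.has_access
                && match action {
                    CipherAction::Edit => !access.read_only,
                    CipherAction::ChangeCollections | CipherAction::Delete => false,
                }
        }
    }
}

/// Hypothetical request handler: the client kind is logged but never used
/// to decide, so a UI that forgot to grey out a checkbox changes nothing.
pub fn handle(
    client: ClientKind,
    role: OrgRole,
    access: CollectionAccess,
    action: CipherAction,
) -> Result<(), &'static str> {
    if authorize(role, access, action) {
        Ok(())
    } else {
        // A real server would log `client` and the denied action for detection.
        let _ = client;
        Err("forbidden: role lacks permission for this cipher action")
    }
}

fn main() {
    let writable = CollectionAccess { has_access: true, read_only: false };
    let r = handle(
        ClientKind::BrowserExtension,
        OrgRole::User,
        writable,
        CipherAction::ChangeCollections,
    );
    println!("user via extension changing collections: {:?}", r);
}
```

The important property is that `authorize` has no `client` parameter at all: if a permission check ever branches on which client made the call, the less-restricted path becomes the one an attacker uses, which is exactly the asymmetry the report describes between the web vault and the extension.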
Reference: github/vaultwarden#1065